Publication number: US20010005889 A1
Publication type: Application
Application number: US 09/741,084
Publication date: Jun 28, 2001
Filing date: Dec 21, 2000
Priority date: Dec 24, 1999
Also published as: EP1111507A2, EP1111507A3, US7020895
Inventors: Mikael Albrecht
Original Assignee: F-Secure Oyj
Remote computer virus scanning
US 20010005889 A1
Abstract
A method of scanning electronic files for computer viruses comprises identifying at a first node 4 of a computer network 1, electronic files which require to be scanned for computer viruses. The first node 4 initiates a dialogue with a second node 7 of the network 1, the second node comprising a virus scanning application. During the dialogue, the second node 7 identifies to the first node 4 one or more portions of the electronic file required by the virus scanning application. The first node 4 transfers the identified portions to the second node 7 which then carries out a virus scanning operation. The result of this operation is then returned to the first node 4.
Claims(14)
1. A method of scanning electronic files for computer viruses, the method comprising:
identifying at a first node of a computer network, electronic files which require to be scanned for computer viruses;
initiating a dialogue between said first node and a second node of the network, the second node comprising a virus scanning application, during which dialogue the second node identifies to the first node one or more portions of the electronic file required by the virus scanning application; and
transferring the identified portion(s) from the first node to the second node over the network.
2. A method according to claim 1 and comprising identifying electronic files which require virus scanning, at a plurality of first nodes of the computer network and initiating a dialogue between the first nodes and the said second node when appropriate.
3. A method according to claim 1, wherein the first node and the second node are located at respective different locations in the computer network.
4. A method according to claim 1, wherein the first node is one of a database server, electronic mail server, an Internet server, a proxy server, or a firewall server.
5. A method according to claim 1, wherein the dialogue is carried out using a network protocol carried by IP.
6. A method according to claim 1 and comprising analysing the file portions received at the second node to determine whether or not the file contains a virus or cannot be guaranteed to not contain a virus, and returning the result to the first node over the network.
7. A method according to claim 6 and comprising transferring from the second node to the first node data portions to be written into the file to disinfect the file.
8. A method according to claim 6 and comprising sending instructions from the second node to the first node to inform the first node how to disinfect the file.
9. An anti-virus scanning system for use in scanning electronic files in a computer network, the system comprising:
a first computer having processing means arranged to identify electronic files which should be scanned for computer viruses; and
a second computer having processing means arranged to perform a virus scanning operation,
the first computer further comprising communication means for initiating a dialogue between the first computer and the second computer, during which the second computer identifies to the first computer those portions of the electronic files required by the first computer for performing the virus scanning operation, and for transferring those portions to the second computer.
10. A computer memory encoded with executable instructions representing a computer program for causing a first computer connected to a computer network to:
identify electronic files which require to be scanned for computer viruses;
initiate a dialogue between the first computer and a second computer also connected to the computer network;
receive from the second computer an identification of portions of the electronic file which are required for virus scanning of the electronic files at the second computer; and
transfer the identified portion from the first computer to the second computer.
11. A computer memory encoded with executable instructions representing a computer program for causing a first computer connected to a computer network to:
receive a dialogue initiation request from a second computer also connected to the computer network concerning an electronic file identified by the second computer as requiring a virus scan;
identify to the second computer those portions of the electronic file which are required by the first mentioned computer for performing a virus scanning operation at the first computer; and
receive the identified portions of the electronic file from the first node.
12. A method of disinfecting an electronic file stored at a first node of a computer network, after the file has been identified as containing a virus by a virus scanning engine located at a second network node, the method comprising:
sending from the second node to the first node, data portions to be written into the infected file and/or instructions for disinfecting the file; and
receiving the data portions and/or instructions at the first node and writing the data portions into the infected file and/or carrying out said instructions.
13. A method according to claim 12, wherein said first and second nodes are respective computer workstations coupled to a common network.
14. A method according to claim 13, wherein the workstation corresponding to the second node is arranged to communicate with a plurality of workstations corresponding to respective second nodes.
Description
    FIELD OF THE INVENTION
  • [0001]
    The present invention relates to remote computer virus scanning and in particular to virus scanning in a system where data to be scanned is transferred from an agent to a scanning engine located on a central server. The invention is applicable in particular, although not necessarily, to a system in which the agent and the server exist at different locations.
    BACKGROUND TO THE INVENTION
  • [0002]
    Computer viruses are a well recognised problem in the computer and software industry and amongst computer users in general. Whilst early approaches to virus detection relied upon providing an anti-virus software application, capable of detecting previously identified viruses or suspect files, in each individual computer, the recent growth in network computing has led to the introduction of gateway based solutions. This approach involves supplementing, or in some cases replacing, the anti-virus applications running on individual computers connected to a network with anti-virus applications running on the gateway (or gateways) which connects the network to the outside world. Such a gateway based anti-virus application is typically provided at a firewall, although it may also be provided at an Internet server, mail server, etc. An anti-virus application may also be provided at a database server of the network to screen data transfers to and from a central storage location.
  • [0003]
    One network approach embodied in the F-Secure Anti-Virus Agent and Server™ product (Data Fellows Oyj, Espoo, Finland) offers an improved solution in which “agents” are located at various transit nodes of a network and identify data which is capable of containing a computer virus (by for example examining file name extensions). The intercepted suspect data is then transferred by the agent, over the network, to a central server comprising an anti-virus scanning application which performs a virus scan on the data. The result of the virus scan is returned from the central server to the agent which initiated the scan. The advantage of this approach as compared to conventional gateway scanning is that it is only necessary to provide one or a small number of scanning applications in a network. This reduces the maintenance overheads for the anti-virus application (e.g. by reducing the number of virus updates required) and also reduces the processing overheads at the machines where the agents are located. It follows that the anti-virus application is more likely to be kept up to date, and hence the security of the network is improved. A further advantage of the agent and server solution is that the scanning engine can be designed to run on one or only a small number of platforms, whilst the agent may be designed to run on a larger number of platforms—it is relatively easy to “port” the agent to different platforms as compared to the scanning engine.
  • [0004]
    A disadvantage of the approach described in the preceding paragraph is that it may require the transfer of relatively large volumes of data over a computer network. This can slow down the virus scanning operation and may also result in network traffic congestion, having a knock-on effect on non-virus scanning related traffic. The transfer of unsecure information over a network may also introduce security risks.
    SUMMARY OF THE PRESENT INVENTION
  • [0005]
    The inventor of the present invention has realised that in many cases, although large volumes of data may be transferred between an agent and a central virus scanning server, the scanning application actually only looks at or examines a relatively small proportion of this data. For example, the scanning application may in some cases be able to tell that a document is not infected with a virus merely by looking at the template-bit in the header of a Microsoft Word™ document.
  • [0006]
    It is an object of the present invention to overcome or at least mitigate the above noted disadvantages. In particular, it is an object of the present invention to reduce the volume of data which must be transferred between an agent and a server for the purpose of virus scanning.
  • [0007]
    These and other objects are achieved at least in part by transferring from an agent to a virus scanning server substantially only those portions of a file which are actually required by the scanning engine.
  • [0008]
    According to a first aspect of the present invention there is provided a method of scanning electronic files for computer viruses, the method comprising:
  • [0009]
    identifying at a first node of a computer network, electronic files which require to be scanned for computer viruses;
  • [0010]
    initiating a dialogue between said first node and a second node of the network, the second node comprising a virus scanning application, during which dialogue the second node identifies to the first node one or more portions of the electronic file required by the virus scanning application; and
  • [0011]
    transferring the identified portion(s) from the first node to the second node over the network.
  • [0012]
    Embodiments of the present invention do not necessarily require the transfer of entire electronic files from the agent to the server. Rather, the embodiments only require those parts which are of direct interest to the scanning application to be transferred. For example, the scanning application may require the transfer of only a header portion of an electronic file or of a block of data pointed to by a jump instruction located in the header. In addition to reducing the volume of network traffic, embodiments of the present invention increase network security by avoiding the need to transfer entire files on a possibly insecure network.
  • [0013]
    Preferably, the method of the present invention involves identifying electronic files which require virus scanning, at a plurality of first nodes of the computer network. A dialogue is then initiated between the first nodes and the said second node when appropriate. That is to say that a set of first nodes may be served by a single scanning application existing at a second node.
  • [0014]
    It will be appreciated that the first node(s) and the second node may be located at respective different locations in the computer network. These nodes may be personal computers, workstations, etc.
  • [0015]
    The first node may be, for example, one of a database server, electronic mail server, an Internet server, a proxy server, or a firewall server.
  • [0016]
    The first and second nodes preferably conduct said dialogue using a network protocol such as CVP or FNP (Data Fellows Oyj, Espoo, Finland), although the protocol may require some modification. The network protocol typically is carried by a transport protocol such as IP, IPX, or Net BEUI.
  • [0017]
    Preferably, the method comprises analysing the file portions received at the second node for each file to be scanned, to determine whether or not the file contains a virus or cannot be guaranteed to not contain a virus. More preferably, the result of this analysis is sent to the first node over the network.
  • [0018]
    In the event that a file is identified as containing a virus, the second node may initiate a dialogue with the first node and transfer to the first node data portions to be written into the file to disinfect the file (this process may also require the transfer of additional file portions from the first to the second node for modification at the second node). The first node may then write the data portions into the file, erasing other portions if necessary. Alternatively, the second node may send instructions to the first node to inform the first node how to disinfect the file.
  • [0019]
    According to a second aspect of the present invention there is provided an anti-virus scanning system for use in scanning electronic files in a computer network, the system comprising:
  • [0020]
    a first computer having processing means arranged to identify electronic files which should be scanned for computer viruses; and
  • [0021]
    a second computer having processing means arranged to perform a virus scanning operation,
  • [0022]
    the first computer further comprising communication means for initiating a dialogue between the first computer and the second computer, during which the second computer identifies to the first computer those portions of the electronic files required by the first computer for performing the virus scanning operation, and for transferring those portions to the second computer.
  • [0023]
    According to a third aspect of the present invention there is provided a computer memory encoded with executable instructions representing a computer program for causing a first computer connected to a computer network to:
  • [0024]
    identify electronic files which require to be scanned for computer viruses;
  • [0025]
    initiate a dialogue between the first computer and a second computer also connected to the computer network;
  • [0026]
    receive from the second computer an identification of portions of the electronic file which are required for virus scanning of the electronic files at the second computer; and
  • [0027]
    transfer the identified portion from the first computer to the second computer.
  • [0028]
    According to a fourth aspect of the present invention there is provided a computer memory encoded with executable instructions representing a computer program for causing a first computer connected to a computer network to:
  • [0029]
    receive a dialogue initiation request from a second computer also connected to the computer network concerning an electronic file identified by the second computer as requiring a virus scan;
  • [0030]
    identify to the second computer those portions of the electronic file which are required by the first mentioned computer for performing a virus scanning operation at the first computer; and
  • [0031]
    receive the identified portions of the electronic file from the first node.
  • [0032]
    According to a fifth aspect of the present invention there is provided a method of disinfecting an electronic file stored at a first node of a computer network, after the file has been identified as containing a virus by a virus scanning engine located at a second network node, the method comprising:
  • [0033]
    sending from the second node to the first node, data portions to be written into the infected file and/or instructions for disinfecting the file; and
  • [0034]
    receiving the data portions and/or instructions at the first node and writing the data portions into the infected file and/or carrying out said instructions.
  • [0035]
    Preferably, said first and second nodes are respective computer workstations coupled to a common network. The workstation corresponding to the second node may be arranged to communicate with a plurality of workstations corresponding to respective second nodes.
    BRIEF DESCRIPTION OF THE DRAWINGS
  • [0036]
    FIG. 1 shows schematically a data network having a central virus scanning server;
  • [0037]
    FIG. 2 illustrates communication protocols used between the virus scanning server of FIG. 1 and an agent located at a node of the network;
  • [0038]
    FIG. 3 illustrates data traffic between an agent and a virus scanning server in the network of FIG. 1; and
  • [0039]
    FIG. 4 is a flow diagram illustrating a virus scanning operation of the network of FIG. 1.
    DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT
  • [0040]
    A computer data network (illustrated generally by reference numeral 1) is shown in FIG. 1 and comprises a number of users or clients 2. These users include an administrator's workstation 2 a, one or more notebook computers 2 b, a number of computer workstations 2 c, and a server 2 d. The network comprises a physical wire network (Local Area Network (LAN)) 3 to which each of the users 2 is connected via respective network cards (generally integrated into the user terminals and therefore not shown separately in FIG. 1). The network may be an Ethernet network, X.25 network, or the like, with TCP/IP protocol being used as the transport protocol (alternative transport protocols include IPX, Net BEUI, etc). Although it is not considered here in detail, the wire network 3 of FIG. 1 may be replaced by a wireless LAN, e.g. using radio signals to transmit data.
  • [0041]
    Also connected to the network (via respective network cards) are a number of so-called “protected systems” 4. These include a firewall 4 a, a mail server 4 b, a proxy server 4 c, and a database server 4 d. As will be known to the skilled person, the firewall 4 a provides a secure gateway between the network 1 and the “outside world”, in this case the Internet 5. All data traffic coming from the Internet 5 to the network 1 passes through the firewall 4 a where its access authority is checked. The firewall 4 a may also control the access of users 2 to the Internet 5. The mail server 4 b and the proxy server 4 c provide transit nodes for electronic mail and www traffic respectively. Data is routed between the mail server 4 b, the proxy server 4 c, and the Internet 5, via the firewall 4 a. The mail server 4 b may also act as a router for internal network electronic mail. The protected systems 4 also include a database server 4 d which acts as a gateway or transit node between the network and a central data storage facility 6. This facility is a repository for data shared by the network users 2.
  • [0042]
    An additional server 7 provides virus scanning functionality as will be described below. This virus scanning server 7 is coupled to the network 1 and in use communicates with the protected systems 4 and the administrator's workstation 2 a. The server 7 is able to communicate with the protected systems and workstation 2 a using for example standardised or proprietary protocols carried over the TCP/IP LAN 3.
  • [0043]
    Each of the protected systems 4 has stored in its memory a so-called “agent” application which is run by the systems in the background to the normal tasks performed by the systems. The function of an agent is to intercept data (in the form of files) which is being transferred through the system 4 on which the agent is running. An intercepted file is scanned on-the-fly by the agent to determine whether or not the file has a form which may contain a virus. Thus, the agent may identify files having a .doc, .exe, etc., filename extension, files corresponding to e-mails, e-mail attachment, or documents containing macros. It will be appreciated that new viruses are being continually created and that this list is not exhaustive.
  • [0044]
    Considering for example the firewall 4 a, this firewall will intercept files being transferred from the Internet 5 to the network 3 and possibly files travelling in the reverse direction. Similarly, the mail server 4 b and proxy server 4 c will intercept e-mails and www files respectively, whilst the database server 4 d scans files being transferred to and from the data storage facility 6. The network may be arranged such that the unnecessary duplication of tasks is avoided, e.g. the mail server 4 b does not scan files received from the firewall 4 a but only scans internally transferred mail.
  • [0045]
    Files which are not of a suspect type are “passed” by the agent and are routed by the system to an appropriate destination (e.g. a user 2). However, if an agent identifies a suspect file, then the agent initiates a dialogue with the virus scanning server 7 using a suitable network protocol. Currently, network protocols such as CVP and FNP are used to perform network dialogues and such protocols may be modified in order to implement the present method.
  • [0046]
    FIG. 2 illustrates schematically the server and agent arrangement and in particular the communication protocols which allow the server and agent to communicate. At the agent, the agent application sits on top of the modified FNP network protocol entity. Beneath the FNP entity are TCP/IP and IP entities, whilst the lowermost entity is the physical layer which provides the physical connection to the network. A similar stack exists at the scanning engine, with the agent application being replaced by the scanning engine application. The dashed lines in FIG. 2 illustrate the peer entity communications whilst the solid line coupling the physical entities illustrates the actual data transfer path.
  • [0047]
    FIG. 3 illustrates the data exchange process which takes place at the application level, between the agent application and the scanning engine application, following the identification at the agent of a file which requires virus scanning. The agent initiates the FNP dialogue by sending an Initiate Negotiation request to the scanning engine. This request may include, for example, an identification of the type of file to be scanned. Using the received information, the scanning engine determines which portions of the identified file it requires in order to perform the virus scan. For example, the scanning engine may determine that it requires only the template bits at the top of a Word™ file. The required portions are identified in a Request File Portions message which is sent to the agent.
  • [0048]
    The agent returns the requested portions to the scanning engine in a Return File Portions message (or several such messages), whereupon the scanning engine commences the virus scanning operation. This may include, for example, generating “signatures” for the received file portions and comparing these against signatures produced from known viruses. In certain cases, the scanning engine may determine that it requires further file portions from the agent. Upon completion of the scan, the scanning engine returns the result to the agent in a Return Scan Result message. In the event that no virus has been identified in the file, the agent allows the file transfer (or other operation involving the scanned file) to proceed.
  • [0049]
    In the event that a virus has been identified in the scanned file, one of several courses of action may be taken. Firstly, and as is illustrated beneath the dashed line in FIG. 3, a disinfection procedure may be carried out. This involves the scanning engine generating replacement file portions (on the basis of the data previously transferred to the scanning engine from the agent, or using additionally transferred file portions), and returning these to the agent in a Write Instruction. The agent acts upon the Write Instruction by rewriting portions of the file to remove the virus infection. If no disinfection procedure is available, the file transfer procedure is suspended and the network administrator alerted, e.g. by sending a message over the network 1 from the agent to the network administrator's workstation.
  • [0050]
    FIG. 4 is a flow diagram illustrating the method described above.
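The dialogue of paragraphs [0047] to [0049], modelled in-process as an added example; it is not code from the patent or from any F-Secure product. The file layout, signature bytes, size limits and class names are constructed for illustration, and only the message names in the comments come from the page. The agent checks every range and write it is asked to perform, because it acts on offsets chosen by another node.

```python
import struct
from dataclasses import dataclass

# Constructed toy format: 16-byte header = magic, big-endian entry offset, padding.
MAGIC = b"TOY1"
HEADER = struct.Struct(">4sI8x")
BLOCK_LEN = 32                    # bytes the engine inspects at the entry offset
SIGNATURE = b"\xde\xad\xbe\xef"   # constructed "virus signature"
MAX_REQUEST = 64                  # agent-side cap on any single requested portion


@dataclass(frozen=True)
class Portion:                    # one entry of a Request File Portions message
    offset: int
    length: int


@dataclass(frozen=True)
class WriteInstruction:           # replacement bytes sent back for disinfection
    offset: int
    data: bytes


class ScanningEngine:
    """Second node: chooses the portions it needs and scans only those."""

    def initiate(self, file_type, file_size):
        # Initiate Negotiation -> Request File Portions (header first)
        self.size = file_size
        return [Portion(0, HEADER.size)]

    def handle(self, portions):
        # Return File Portions -> further request, or Return Scan Result
        if 0 in portions:
            header = portions[0]
            if len(header) < HEADER.size:
                return ("result", "suspect", [])
            magic, entry = HEADER.unpack(header)
            if magic != MAGIC or not HEADER.size <= entry < self.size:
                return ("result", "suspect", [])   # cannot be guaranteed clean
            return ("need", [Portion(entry, BLOCK_LEN)])
        (offset, block), = portions.items()
        hit = block.find(SIGNATURE)
        if hit < 0:
            return ("result", "clean", [])         # clean as far as inspected
        patch = WriteInstruction(offset + hit, bytes(len(SIGNATURE)))
        return ("result", "infected", [patch])


class Agent:
    """First node: holds the file, serves portions, applies write instructions."""

    def __init__(self, data):
        self.data = bytearray(data)
        self.sent = 0                              # bytes that left this node

    def read(self, p):
        if not 0 <= p.offset <= len(self.data) or not 0 < p.length <= MAX_REQUEST:
            raise ValueError("requested portion outside policy")
        chunk = bytes(self.data[p.offset:p.offset + p.length])
        self.sent += len(chunk)
        return chunk

    def apply(self, w):
        if w.offset < 0 or w.offset + len(w.data) > len(self.data):
            raise ValueError("write instruction outside file")
        self.data[w.offset:w.offset + len(w.data)] = w.data


def scan_file(agent, engine, file_type="toy", max_rounds=4):
    """Run one dialogue; the round limit bounds how much the engine can pull."""
    wanted = engine.initiate(file_type, len(agent.data))
    for _ in range(max_rounds):
        reply = engine.handle({p.offset: agent.read(p) for p in wanted})
        if reply[0] == "result":
            _, verdict, writes = reply
            for w in writes:
                agent.apply(w)
            return verdict
        wanted = reply[1]
    return "suspect"


def build_sample(infected, size=4096, entry=2048):
    """Constructed sample file, optionally carrying the toy signature."""
    body = bytearray(size)
    body[:HEADER.size] = HEADER.pack(MAGIC, entry)
    if infected:
        body[entry + 5:entry + 5 + len(SIGNATURE)] = SIGNATURE
    return body


if __name__ == "__main__":
    for infected in (False, True):
        agent = Agent(build_sample(infected))
        verdict = scan_file(agent, ScanningEngine())
        print(verdict, f"{agent.sent} of {len(agent.data)} bytes transferred")
```

A "clean" verdict here covers only the bytes the engine asked for, so the choice of requested portions determines what the scan can miss.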
  • [0051]
    It will be appreciated by the person of skill in the art that various modifications may be made to the above described embodiment without departing from the scope of the present invention. For example, whilst the above embodiment placed agents only at the firewall 4 a, mail server 4 b, proxy server 4 c, and database server 4 d, agents may also be present at one or more of the client computers 2.
US9117081Dec 20, 2013Aug 25, 2015Bitdefender IPR Management Ltd.Strongly isolated malware scanning using secure virtual containers
US9118715May 10, 2012Aug 25, 2015Fireeye, Inc.Systems and methods for detecting malicious PDF network content
US9154511Jun 16, 2005Oct 6, 2015Dell Software Inc.Time zero detection of infectious messages
US9159035Feb 23, 2013Oct 13, 2015Fireeye, Inc.Framework for computer application analysis of sensitive information tracking
US9171160Sep 30, 2013Oct 27, 2015Fireeye, Inc.Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses
US9176843Feb 23, 2013Nov 3, 2015Fireeye, Inc.Framework for efficient security coverage of mobile software applications
US9182969Sep 28, 2007Nov 10, 2015Symantec CorporationUsing disassociated images for computer and storage resource management
US9189627Nov 21, 2013Nov 17, 2015Fireeye, Inc.System, apparatus and method for conducting on-the-fly decryption of encrypted objects for malware detection
US9195829Feb 23, 2013Nov 24, 2015Fireeye, Inc.User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications
US9197664Feb 11, 2015Nov 24, 2015Fire Eye, Inc.System and method for malware containment
US9223972Mar 31, 2014Dec 29, 2015Fireeye, Inc.Dynamically remote tuning of a malware content detection system
US9225740Sep 24, 2014Dec 29, 2015Fireeye, Inc.Framework for iterative analysis of mobile software applications
US9230111Nov 6, 2013Jan 5, 2016Symantec CorporationSystems and methods for protecting document files from macro threats
US9237163Dec 19, 2014Jan 12, 2016Dell Software Inc.Managing infectious forwarded messages
US9241010Mar 20, 2014Jan 19, 2016Fireeye, Inc.System and method for network behavior detection
US9251343Mar 15, 2013Feb 2, 2016Fireeye, Inc.Detecting bootkits resident on compromised computers
US9262635Feb 5, 2014Feb 16, 2016Fireeye, Inc.Detection efficacy of virtual machine-based analysis with application specific events
US9282109Jun 30, 2014Mar 8, 2016Fireeye, Inc.System and method for analyzing packets
US9294501Sep 30, 2013Mar 22, 2016Fireeye, Inc.Fuzzy hash of behavioral results
US9300686Jul 18, 2013Mar 29, 2016Fireeye, Inc.System and method for detecting malicious links in electronic messages
US9306960Aug 19, 2013Apr 5, 2016Fireeye, Inc.Systems and methods for unauthorized activity defense
US9306974Feb 11, 2015Apr 5, 2016Fireeye, Inc.System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits
US9311479Mar 14, 2013Apr 12, 2016Fireeye, Inc.Correlation and consolidation of analytic data for holistic view of a malware attack
US9317679 *Nov 6, 2013Apr 19, 2016Symantec CorporationSystems and methods for detecting malicious documents based on component-object reuse
US9325724Aug 28, 2014Apr 26, 2016Dell Software Inc.Time zero classification of messages
US20020147780 * | Apr 9, 2001 | Oct 10, 2002 | Liu James Y. | Method and system for scanning electronic mail to detect and eliminate computer viruses using a group of email-scanning servers and a recipient's email gateway
US20030009690 * | Jun 29, 2001 | Jan 9, 2003 | Grupe Robert R. | Intelligent network scanning system and method
US20030023866 * | Jul 26, 2001 | Jan 30, 2003 | Hinchliffe Alex James | Centrally managed malware scanning
US20030088662 * | Oct 29, 2002 | May 8, 2003 | Hitachi, Ltd. | Electronic device and communication method using bridging medium
US20030097378 * | Nov 20, 2001 | May 22, 2003 | Khai Pham | Method and system for removing text-based viruses
US20030191911 * | Apr 2, 2003 | Oct 9, 2003 | Powerquest Corporation | Using disassociated images for computer and storage resource management
US20030217286 * | Apr 10, 2003 | Nov 20, 2003 | Itshak Carmona | System and method for detecting malicious code
US20040049698 * | Sep 6, 2002 | Mar 11, 2004 | Ott Allen Eugene | Computer network security system utilizing dynamic mobile sensor agents
US20040158741 * | Feb 7, 2003 | Aug 12, 2004 | Peter Schneider | System and method for remote virus scanning in wireless networks
US20040210769 * | Apr 17, 2003 | Oct 21, 2004 | Cybersoft, Inc. | Apparatus, methods and articles of manufacture for computer virus testing
US20040237079 * | Jun 22, 2004 | Nov 25, 2004 | Networks Associates Technology, Inc. | Virus detection system, method and computer program product for handheld computers
US20050132184 * | Dec 12, 2003 | Jun 16, 2005 | International Business Machines Corporation | Apparatus, methods and computer programs for controlling performance of operations within a data processing system or network
US20050132205 * | Dec 12, 2003 | Jun 16, 2005 | International Business Machines Corporation | Apparatus, methods and computer programs for identifying matching resources within a data processing network
US20050138426 * | Nov 8, 2004 | Jun 23, 2005 | Brian Styslinger | Method, system, and apparatus for managing, monitoring, auditing, cataloging, scoring, and improving vulnerability assessment tests, as well as automating retesting efforts and elements of tests
US20050166268 * | Jan 22, 2004 | Jul 28, 2005 | Symantec Corporation | Proactive prevention of polymorphic SMTP worms
US20050177720 * | Feb 10, 2004 | Aug 11, 2005 | Seiichi Katano | Virus protection for multi-function peripherals
US20050177748 * | Feb 10, 2004 | Aug 11, 2005 | Seiichi Katano | Virus protection for multi-function peripherals
US20050228695 * | Dec 20, 2004 | Oct 13, 2005 | Fuji Photo Film Co., Ltd. | Hospital management apparatus and method, and computer-readable medium
US20060080517 * | Nov 14, 2003 | Apr 13, 2006 | Brown Christopher L T | Accessing a protected area of a storage device
US20060161987 * | Dec 30, 2005 | Jul 20, 2006 | Guy Levy-Yurista | Detecting and remedying unauthorized computer programs
US20070083930 * | Oct 11, 2005 | Apr 12, 2007 | Jim Dumont | Method, telecommunications node, and computer data signal message for optimizing virus scanning
US20070244920 * | May 16, 2007 | Oct 18, 2007 | Sudarshan Palliyil | Hash-Based Access To Resources in a Data Processing Network
US20070261118 * | Apr 28, 2006 | Nov 8, 2007 | Chien-Chih Lu | Portable storage device with stand-alone antivirus capability
US20070294765 * | Aug 24, 2007 | Dec 20, 2007 | Sonicwall, Inc. | Managing infectious forwarded messages
US20080104703 * | Oct 29, 2007 | May 1, 2008 | Mailfrontier, Inc. | Time Zero Detection of Infectious Messages
US20080134336 * | Oct 29, 2007 | Jun 5, 2008 | Mailfrontier, Inc. | Analyzing traffic patterns to detect infectious messages
US20080163372 * | Mar 8, 2007 | Jul 3, 2008 | Matrix Xin Wang | Anti-virus system for IMS network
US20080208935 * | May 6, 2008 | Aug 28, 2008 | International Business Machines Corporation | Computer Program Product and Computer System for Controlling Performance of Operations within a Data Processing System or Networks
US20090019547 * | Jul 31, 2008 | Jan 15, 2009 | International Business Machines Corporation | Method and computer program product for identifying or managing vulnerabilities within a data processing network
US20090077665 * | Mar 20, 2006 | Mar 19, 2009 | Matsushita Electric Industrial Co., Ltd. | Method and applications for detecting computer viruses
US20100154062 * | Dec 16, 2008 | Jun 17, 2010 | Elad Baram | Virus Scanning Executed Within a Storage Device to Reduce Demand on Host Resources
US20100251373 * |  | Sep 30, 2010 | Finjan, Inc. | System and method for inspecting dynamically generated executable code
US20100333199 * | Jun 25, 2009 | Dec 30, 2010 | Accenture Global Services Gmbh | Method and system for scanning a computer system for sensitive content
US20110067010 * |  | Mar 17, 2011 | zynamics GmbH | Method for Characterization of a Computer Program Part
US20110202998 * |  | Aug 18, 2011 | zynamics GmbH | Method and System for Recognizing Malware
US20120324577 * | Jun 14, 2011 | Dec 20, 2012 | Honeywell International Inc. | Detecting malicious software on a computing device with a mobile device
US20150007324 * | Jun 27, 2013 | Jan 1, 2015 | Secureage Technology, Inc. | System and method for antivirus protection
US20150067854 * | Jun 16, 2014 | Mar 5, 2015 | Electronics And Telecommunications Research Institute | Apparatus and method for multi-checking for mobile malware
US20150205979 * | May 9, 2013 | Jul 23, 2015 | Beijing Qihoo Technology Company Limited | Method and system for repairing file at user terminal
WO2002082270A1 * | Apr 12, 2001 | Oct 17, 2002 | Gallantry Technologies, Inc. | Method and system for scanning electronic mail to detect and eliminate computer viruses using a group of email-scanning servers and a recipient's email gateway
WO2009023294A2 * | Mar 19, 2008 | Feb 19, 2009 | Microsoft Corporation | Combining assessment models and client targeting to identify network security vulnerabilities
Classifications
U.S. Classification: 726/24, 713/188
International Classification: G06F21/56, H04L29/06, G06F1/00
Cooperative Classification: G06F21/56, H04L63/145
European Classification: G06F21/56, H04L63/14D1
Legal Events
Date | Code | Event | Description
Dec 21, 2000 | AS | Assignment | Owner name: F-SECURE OYJ, FINLAND. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ALBRECHT, MIKAEL;REEL/FRAME:011394/0071. Effective date: 20001115
Aug 26, 2009 | FPAY | Fee payment | Year of fee payment: 4
Nov 10, 2009 | SULP | Surcharge for late payment |
Sep 1, 2013 | FPAY | Fee payment | Year of fee payment: 8